Discover Rootkits With Unhide

If your system has been rooted, you can't trust utilities like ps to show processes from the rootkit. For ferreting out nasties, you'll want to check out unhide and unhide.rb.

When your system is rooted, you can't trust most utilities to show processes from the rootkit. To identify the problem, check out unhide and unhide.rb.

If you've ever encountered a rootkit, you know the symptoms -- suddenly a box is sluggish or sending out gobs of network traffic -- but running top and ps aux show nothing that should be the culprit. One quick and dirty way to turn up the offending processes is to use the unhide utility or its Ruby counterpart unhide.rb. It's a helpful tool to have around for Linux server management.

The unhide utility is available, at least, on recent releases of Debian and Ubuntu. The Ruby script is available on Launchpad, but it's not available in any of the recent releases yet. I'd recommend grabbing both -- the legacy utility seems prone to false positives. It may still be useful, but I'd have both just in case. It's also unclear whether it's still under development -- the site for the utility 404s now. Both are open source software, of course.

The use is simple -- for unhide you have three options: proc, sys, and brute. The first two compare output from system information (/proc and system calls, respectively) against ps. The brute technique checks all process IDs. Just run (as root, naturally) unhide brute (or whatever option) and if it finds anything it will print out the process IDs that might be a problem.

Note that you'll also find an unhide-posix and unhide-tcp utility. The -posix utility is for pre-2.6 Linux systems. I suppose there might be a few people still running Linux 2.4 systems, but I can't imagine that it's very many. Fewer still that are actually concerned with security.

The unhide-tcp utility looks for TCP and (despite the name) UDP ports that are open, but not listed in netstat.

The unhide.rb utility is run without options. So far, I've found that it has fewer false positives than unhide on known-clean systems.

These aren't foolproof, of course -- but they're useful first-pass utilities on a system that you suspect might be compromised. It's good to have something quick-and-dirty to check for obvious signs of intrusion -- not all rootkits are written well. Next week I'll cover a couple more forensic utilities that can help search out problems a bit more thoroughly.

Joe 'Zonker'
Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at jzb@zonker.net and follow him on Twitter.